Modules

First PublishedFeb 16, 2026Last UpdatedFeb 22, 2026ByAtif Alam

Modules are the units of work in Ansible. Each task in a playbook calls a module, and Ansible ships with thousands of them. Modules are idempotent — they check the current state before making changes, so running them twice produces the same result.

Package Management

apt (Debian/Ubuntu)

1
- name: Install nginx
2
  apt:
3
    name: nginx
4
    state: present
5
    update_cache: true
6

7
- name: Install multiple packages
8
  apt:
9
    name:
10
      - nginx
11
      - curl
12
      - git
13
      - htop
14
    state: present
15

16
- name: Remove a package
17
  apt:
18
    name: apache2
19
    state: absent
20

21
- name: Upgrade all packages
22
  apt:
23
    upgrade: dist
24
    update_cache: true

yum / dnf (RHEL/CentOS/Fedora)

1
- name: Install nginx
2
  yum:
3
    name: nginx
4
    state: present
5

6
- name: Install with dnf (Fedora/RHEL 8+)
7
  dnf:
8
    name: nginx
9
    state: present

package (Generic)

Automatically uses the right package manager for the OS:

1
- name: Install nginx (works on any distro)
2
  package:
3
    name: nginx
4
    state: present

pip (Python)

1
- name: Install Python packages
2
  pip:
3
    name:
4
      - flask
5
      - gunicorn
6
    state: present
7
    virtualenv: /opt/myapp/venv

File Management

copy

Copy files from the control node to managed hosts:

1
- name: Copy nginx config
2
  copy:
3
    src: files/nginx.conf
4
    dest: /etc/nginx/nginx.conf
5
    owner: root
6
    group: root
7
    mode: "0644"
8
    backup: true         # keep a backup of the original
9

10
- name: Write content directly
11
  copy:
12
    content: |
13
      server {
14
        listen 80;
15
        server_name example.com;
16
      }
17
    dest: /etc/nginx/sites-available/default

template

Copy a Jinja2 template, rendering variables:

1
- name: Deploy app config
2
  template:
3
    src: templates/app.conf.j2
4
    dest: /etc/app/config.yml
5
    owner: deploy
6
    mode: "0640"

See Variables and Templates for Jinja2 syntax.

file

Manage file/directory properties or create symlinks:

1
- name: Create a directory
2
  file:
3
    path: /opt/myapp
4
    state: directory
5
    owner: deploy
6
    group: deploy
7
    mode: "0755"
8

9
- name: Create a symlink
10
  file:
11
    src: /opt/myapp/current/public
12
    dest: /var/www/html
13
    state: link
14

15
- name: Delete a file
16
  file:
17
    path: /tmp/old-file.txt
18
    state: absent

lineinfile

Ensure a specific line exists in a file (or is absent):

1
- name: Set timezone in config
2
  lineinfile:
3
    path: /etc/app/config.ini
4
    regexp: '^TIMEZONE='
5
    line: 'TIMEZONE=UTC'
6

7
- name: Remove a line
8
  lineinfile:
9
    path: /etc/crontab
10
    regexp: '^.*old-job.*$'
11
    state: absent

blockinfile

Insert or update a block of text in a file:

1
- name: Add SSH banner
2
  blockinfile:
3
    path: /etc/ssh/sshd_config
4
    block: |
5
      Banner /etc/ssh/banner.txt
6
      MaxAuthTries 3
7
    marker: "# {mark} ANSIBLE MANAGED BLOCK - SSH hardening"

synchronize

Wraps rsync for syncing directories or large file sets to many hosts. Use it when you need to push an entire directory (e.g. app tree, static assets) rather than a single file. By default it runs on the control node and rsyncs to each host in turn; the source path is relative to the control node.

Key arguments: src (local path), dest (path on the managed host), delete (set to yes to mirror — remove files on the host that are not in source), rsync_opts for extra rsync flags. Use delegate_to: "{{ inventory_hostname }}" if you want the sync to run on each host (e.g. pull from a shared location) instead of from the control node.

1
- name: Sync app directory to hosts
2
  synchronize:
3
    src: app/
4
    dest: /opt/myapp/
5
    delete: yes
6
    rsync_opts:
7
      - "--exclude=.git"

Service Management

service

Start, stop, restart, or enable services:

1
- name: Start and enable nginx
2
  service:
3
    name: nginx
4
    state: started
5
    enabled: true
6

7
- name: Restart nginx
8
  service:
9
    name: nginx
10
    state: restarted
11

12
- name: Stop a service
13
  service:
14
    name: old-app
15
    state: stopped
16
    enabled: false

systemd

More control over systemd-specific features:

1
- name: Reload systemd daemon
2
  systemd:
3
    daemon_reload: true
4

5
- name: Enable and start a service
6
  systemd:
7
    name: myapp
8
    state: started
9
    enabled: true

User and Group Management

1
- name: Create a group
2
  group:
3
    name: deploy
4
    state: present
5

6
- name: Create a user
7
  user:
8
    name: deploy
9
    group: deploy
10
    groups: sudo,docker
11
    append: true
12
    shell: /bin/bash
13
    create_home: true
14

15
- name: Add authorized SSH key
16
  authorized_key:
17
    user: deploy
18
    key: "{{ lookup('file', 'files/deploy_key.pub') }}"
19
    state: present
20

21
- name: Remove a user
22
  user:
23
    name: olduser
24
    state: absent
25
    remove: true       # also remove home directory

Commands and Scripts

command

Run a command (no shell features like pipes or redirects):

1
- name: Check app version
2
  command: /opt/myapp/bin/myapp --version
3
  register: app_version
4
  changed_when: false

shell

Run a command through the shell (supports pipes, redirects, env vars):

1
- name: Find large log files
2
  shell: find /var/log -name "*.log" -size +100M | head -20
3
  register: large_logs
4
  changed_when: false

script

Copy a local script to the remote host and execute it:

1
- name: Run setup script
2
  script: scripts/setup.sh
3
  args:
4
    creates: /opt/myapp/.installed    # skip if this file exists

raw

Execute a command without the module system (useful for bootstrapping Python):

1
- name: Install Python on minimal hosts
2
  raw: apt-get install -y python3
3
  when: ansible_python_interpreter is not defined

When to Use Which

Module	Use When
`command`	Simple commands, no shell features needed
`shell`	Need pipes, redirects, or shell variables
`script`	Running a multi-line local script on remote hosts
`raw`	Bootstrapping (no Python on target yet)

Prefer specific modules (like apt, file, service) over command/shell whenever possible — specific modules are idempotent, command and shell are not.

Downloading and Archiving

1
- name: Download a file
2
  get_url:
3
    url: https://example.com/app-v2.tar.gz
4
    dest: /tmp/app-v2.tar.gz
5
    checksum: sha256:abc123...
6

7
- name: Extract archive
8
  unarchive:
9
    src: /tmp/app-v2.tar.gz
10
    dest: /opt/myapp/
11
    remote_src: true

Cron Jobs

1
- name: Schedule a backup
2
  cron:
3
    name: "Daily backup"
4
    minute: "0"
5
    hour: "2"
6
    job: "/opt/scripts/backup.sh >> /var/log/backup.log 2>&1"
7
    user: root

Finding Module Documentation

1
ansible-doc apt                    # show docs for the apt module
2
ansible-doc -l                     # list all available modules
3
ansible-doc -l | grep aws          # find AWS modules
4
ansible-doc -s copy                # show short snippet/example

Or browse the Ansible module index online.

Writing Custom Modules

When no built-in module fits your needs, you can write your own in Python. Custom modules follow a simple pattern: receive JSON input, do work, return JSON output.

Module Location

Place custom modules in a library/ directory next to your playbook or role:

1
project/
2
  playbooks/
3
    site.yml
4
  library/
5
    my_custom_module.py    # available to all playbooks
6
  roles/
7
    myapp/
8
      library/
9
        app_health.py      # available only in this role

Minimal Module Template

1
#!/usr/bin/python
2
from ansible.module_utils.basic import AnsibleModule
3

4
def run_module():
5
    # Define accepted arguments
6
    module_args = dict(
7
        name=dict(type='str', required=True),
8
        state=dict(type='str', default='present', choices=['present', 'absent']),
9
        force=dict(type='bool', default=False),
10
    )
11

12
    # Initialize the module
13
    module = AnsibleModule(
14
        argument_spec=module_args,
15
        supports_check_mode=True,
16
    )
17

18
    # Get parameters
19
    name = module.params['name']
20
    state = module.params['state']
21

22
    # Initialize result
23
    result = dict(
24
        changed=False,
25
        message='',
26
    )
27

28
    # Check mode — report what would change without doing it
29
    if module.check_mode:
30
        result['changed'] = True
31
        module.exit_json(**result)
32

33
    # Do the actual work
34
    try:
35
        if state == 'present':
36
            # Create or ensure resource exists
37
            result['changed'] = True
38
            result['message'] = f'Resource {name} created'
39
        else:
40
            # Remove resource
41
            result['changed'] = True
42
            result['message'] = f'Resource {name} removed'
43

44
        module.exit_json(**result)
45

46
    except Exception as e:
47
        module.fail_json(msg=f'Error: {str(e)}', **result)
48

49
def main():
50
    run_module()
51

52
if __name__ == '__main__':
53
    main()

Using Your Custom Module

1
- name: Use custom module
2
  my_custom_module:
3
    name: myresource
4
    state: present
5
    force: true
6
  register: result
7

8
- debug:
9
    var: result.message

Key Patterns

Idempotency — Check current state before making changes:

1
# Check if resource already exists
2
current = get_current_state(name)
3
if current and state == 'present':
4
    result['changed'] = False
5
    result['message'] = f'{name} already exists'
6
    module.exit_json(**result)

Check mode support — Return what would change without doing it:

1
module = AnsibleModule(
2
    argument_spec=module_args,
3
    supports_check_mode=True,   # declare support
4
)
5

6
if module.check_mode:
7
    result['changed'] = would_change(name, state)
8
    module.exit_json(**result)

Running commands — Use module.run_command() instead of subprocess:

1
rc, stdout, stderr = module.run_command(['myapp', 'status', name])
2
if rc != 0:
3
    module.fail_json(msg=f'Command failed: {stderr}')

Returning data — Include useful info in the result for register:

1
result['resource_id'] = resource.id
2
result['resource_url'] = resource.url
3
module.exit_json(**result)

Custom Module Plugins (Action Plugins)

For more advanced use cases — action plugins run on the control node (not the target) and can manipulate how modules are executed. These go in action_plugins/ and are less common.

When to Write a Custom Module

Situation	Recommendation
A built-in module almost works	Use `command`/`shell` with `changed_when` first
You need this logic in multiple playbooks	Write a custom module
Complex API interaction with idempotency	Write a custom module
Simple one-off task	Use `command` or `uri` module instead

Key Takeaways

Prefer specific modules over command/shell — they’re idempotent and declarative.
Use copy for static files, template for files with variables, lineinfile/blockinfile for surgical edits. Use copy for single or few files; use synchronize for directory sync or large transfers.
service or systemd to manage services; apt/yum/package for packages.
Use command with changed_when: false for read-only checks.
Use ansible-doc <module> to look up any module’s arguments and examples.
Custom modules go in library/. Use AnsibleModule, support check mode, and be idempotent.